Another Government Security Breach

This time it isn't a stolen laptop. This time it's what security people fear
the most: a system hack.

According to the U.S. Department of Agriculture (USDA), unknown hackers may
have illegally accessed a USDA database containing the names, Social
Security numbers and photos of current and former agency employees.

The USDA said approximately 26,000 Washington, D.C., area employees are
potentially at risk for identity theft. The USDA is providing one year of
free credit monitoring to those affected by the intrusion.

The hack occurred during the first weekend of June. USDA Secretary Mike
Johanns found out about the intrusion on June 6. The USDA said Johanns was
told at that time that no personal identity information was at risk.

However, further forensic analysis revealed that it was "uncertain" whether employee
personal data was adequately protected during the hack, prompting Johanns to
issue a public notice of the intrusion.

"The compromised system was taken offline and put on a new server," Ed Loyd,
a spokesman for the USDA, told internetnews.com. "We don't know yet
who was responsible or how the system was compromised."

Loyd said the USDA had not determined if the compromised data had been
"downloaded," but the agency has an ongoing investigation under way.

"It sounds like they had some level of security on the path, but they didn't
have anything on the data itself. That's egregious," Gordon Rapkin,
president and CEO of security firm Protegrity, told internetnews.com.

"Just because the bank locks the doors at night it doesn't mean they lock
the vault."

Paul Kurtz, executive director of the Cyber Security Industry Alliance
(CSIA), added, "From our view, this is yet another incident of not taking
security seriously. It seems like there's a breach a day in the government."

The latest breach at the USDA -- which has scored an F for five straight
years on the federal computer report card grades issued by the House
Government Reform Committee -- follows breaches at the Veterans
Administration (VA) and the Federal Trade Commission (FTC).

Earlier this week, the FTC admitted two
laptops containing the personal information of 110 people were stolen.

And in May, the VA, which has received an F in four of the last five years on the
annual report cards, reported
the second-largest security breach on record. An employee's stolen laptop
put more than 26 million veterans at risk of identity theft.

As in the USDA case, both the VA and the FTC is offering free credit
monitoring for affected persons. The Senate Appropriations Committee has
earmarked $160 million to cover the cost of the VA's credit monitoring
obligations.

"The cost of the remedy is so far in excess of what it would have cost to
put in protection," Rapkin said. "It's a horrible waste of funds."

In the private sector, Rapkin noted, if a merchant consistently scored F's
on a security check, the cost and liability of a breach would be shifted to
the merchant.

Rapkin added the government should reconsider its "entire policy for
spending on prevention."

The CSIA's Kurtz agreed.

"There needs to be senior-level involvement in reviewing and enforcing
security policies for government agencies," he said. "There needs to be
greater accountability."

Congress is considering a number of data protection and public
breach notice laws. In most of the bills, companies and government agencies
would be exempted from disclosure requirements if they encrypt their data.

"There ought to be an assumption that data is encrypted when it is at rest
or in transit," Kurtz said. "With encryption, a stolen laptop is simply a
stolen laptop."